June 14, 2002
Audit Report No. 02-022

Review of the FDIC’s Strategy for Managing Improper Payments

Federal Deposit Insurance Corporation
Washington, D.C. 20434
Office of Audits
Office of Inspector General

DATE:     June 14, 2002

TO:       Fred S. Selby, Director
          Division of Finance

          Arleas Upton Kea, Director
          Division of Administration

FROM:     Russell A. Rau [Electronically produced version; original signed by Russell Rau]
          Assistant Inspector General for Audits

SUBJECT:  Review of the FDIC’s Strategy for Managing Improper Payments
          (Audit Report No. 02-022)

The Federal Deposit Insurance Corporation (FDIC) Office of Inspector General (OIG) has
completed a review of the FDIC’s strategy for managing improper payments. We conducted the
review based on a June 26, 2001, letter from the Chairman and Ranking Minority Member,
Committee on Governmental Affairs, United States Senate (Committee). In this letter, the
Committee requested that the 24 major federal agencies review an exposure draft of the U.S.
General Accounting Office’s (GAO) executive guide entitled Strategies to Manage Improper
Payments (GAO-02-69G, issued October 2001).
The agencies’ reviews were to focus on
evaluating the adequacy of each agency’s internal controls and implementation of those
strategies that are appropriate for each agency.

Although the FDIC was not included in the request to the departments and agencies addressed in
the Committee’s letter, we conducted this review to assess what steps the FDIC has taken to
control improper payments and determine what additional measures should be taken. The
objective of this review was to assess the FDIC’s strategy for managing such payments.
Additional details on the review objectives, scope, and methodology are included in Appendix I.

BACKGROUND

The Congress created the FDIC under the Banking Act of 1933 to maintain stability and public
confidence in the nation’s banking system. The intent was to provide a federal government
guarantee of deposits in U.S. depository institutions so that customer funds would be safe and
available to customers in the event of a financial institution failure. As required by current law,
the FDIC maintains separate insurance funds for banks and savings associations and a resolution
fund.[1] When an institution fails, the FDIC fulfills its role by paying insured depositors directly
or arranging for the assumption of the deposits by another financial institution. After an
institution has failed, the FDIC liquidates the failed institution’s assets to replenish the insurance
fund.

During the period January 1, 2000 through December 31, 2001, the FDIC disbursed over
$4.6 billion in its corporate capacity for program and administrative operations. About
57.8 percent of the disbursements were for failed financial institution resolutions. The remaining
disbursements were primarily for the FDIC’s internal operations.
These amounts include salaries
and benefits (28.9 percent), payments to contractors for corporate activities (8.7 percent), and
disbursements for other expenses such as employee travel and assets acquired from failed
institutions (4.6 percent). The following chart shows the composition of the disbursements.

Figure 1: FDIC Disbursements from January 1, 2000 through December 31, 2001

[Pie chart: Failed Financial Institution Resolutions 57.8%; Salaries/Benefits 28.9%; Contractor Services 8.7%; Other 4.6%]

Source: FDIC General Ledger

[1] The Financial Institutions Reform, Recovery, and Enforcement Act of 1989 (FIRREA) created the Bank Insurance
Fund (BIF), the Savings Association Insurance Fund (SAIF), and the FSLIC Resolution Fund (FRF). It also designated
the FDIC as the administrator of these funds. These three funds are maintained separately to carry out their respective
mandates. The BIF and the SAIF are insurance funds responsible for protecting insured bank and thrift depositors from
loss due to institution failures. The FRF is a resolution fund responsible for winding up the affairs of the former Federal
Savings and Loan Insurance Corporation and liquidating the assets and liabilities transferred from the former Resolution
Trust Corporation.

In order to assist federal agencies in developing strategies for managing improper payments,
GAO prepared an executive guide, Strategies to Manage Improper Payments. In developing the
guide, the GAO identified private and public sector organizations, studied these organizations’
financial management practices, and obtained information on actions these organizations took
and considered effective in reducing improper payments.

According to the GAO guide, improper payments can include inadvertent errors, such as
duplicate payments and miscalculations, payments for unsupported or inadequately supported
claims, payments for services not rendered, and fraud and abuse by program participants and/or
federal employees. The guide notes that the basic or root causes of these improper payments can
typically be traced to a lack of or a breakdown in internal controls. The guide further highlights
the actions taken by the study participants to reduce improper payments and categorized these
actions into the five general components of internal control: control environment, risk
assessment, control activities, information and communications, and monitoring.
Each
component is described as follows:

   • Control Environment – creating a culture of accountability by establishing a positive and
     supportive attitude toward improvement and the achievement of established program
     outcomes.
   • Risk assessment – performing comprehensive reviews and analyses of program
     operations to determine if risks exist and the nature and extent of the risks identified.
   • Control activities – taking actions to address identified risk areas and help ensure that
     management’s decisions and plans are carried out and program objectives met.
   • Information and communications – using and sharing relevant, reliable, and timely
     financial and non-financial information in managing improper payment-related activities.
   • Monitoring – tracking improvement initiatives over time and identifying additional
     actions needed to further improve program efficiency and effectiveness.

The Senate Committee on Governmental Affairs asked specific questions related to each of these
components of internal control, and using their questions and GAO’s guide, we evaluated the
adequacy of the FDIC’s actions for managing improper payments in the five general components
of internal control. Our general assessment of the FDIC’s efforts is presented in this report, and
we summarize the responses to the specific questions and our overall review results in the
Results of Review section of this report.

RESULTS OF REVIEW

The FDIC has implemented an adequate control environment and has responsive action ongoing
to address the other four components of internal control over the payment process.
Although the
FDIC has not established a plan that specifically addresses improper payments, the FDIC has
established effective strategies to control payments and mitigate the risk of improper payments.

The GAO, with the assistance of the OIG, audits the FDIC’s annual financial statements of the
BIF, SAIF, and the FRF. On May 21, 2002, GAO issued its audit report on the FDIC funds’
2001 and 2000 financial statements. The GAO concluded that although certain internal controls
should be improved,[2] FDIC management maintained, in all material respects, effective internal
control over financial reporting (including safeguarding assets) and compliance as of
December 31, 2001, that provided reasonable assurance that misstatements, losses, or
noncompliance that were material in relation to the FDIC funds’ financial statements would be
prevented or detected on a timely basis.[3]

The Corporation recognizes the need to properly control payments and, for the most part, has
taken appropriate actions to do so. During our review, the Corporation began to identify the
level of improper payments and in the Statement of Internal Accounting and Administrative
Controls section of the 2001 Chief Financial Officers Act Report, the Corporation plans to report
the amount of improper payments made to contractors. For the period January 1, 2000 through
November 15, 2001, the Corporation identified contractor-related improper payments totaling
$4.4 million (less than 1 percent of total payments made to contractors). Also, the Corporation
plans to take collection actions depending on the nature and magnitude of such payments.
Our
assessment of the FDIC’s efforts related to the Committee’s specific questions is shown in the
following table.

[2] GAO identified weaknesses in FDIC’s information system controls that it considered as a reportable condition.
[3] Also, GAO tests for compliance with selected provisions of laws and regulations disclosed no instances of
noncompliance that would be reportable under U.S. generally accepted government auditing standards. However, the
objective of the financial statement audits was not to provide an opinion on overall compliance with laws and
regulations.

FDIC OIG’s Assessment of FDIC’s Efforts to Manage the Risk of Improper Payments

                                                       Responsive   Responsive Action   No Actions
     Question                                          Action       In Progress         Taken
                                                       Completed

     Control Environment
1    What does your agency plan to do to create a          •
     culture of accountability that provides a
     positive and supportive attitude toward
     improvement and the achievement of
     established program outcomes?

     Risk Assessment
2    To what extent are improper payments in your                          •
     agency the result of agency error, a need for
     improved oversight and monitoring,
     inadequate eligibility controls, fraud, or other
     causes? What is the amount of improper
     payments your agency has made in the last
     two fiscal years? If you do not know the
     nature and extent of your agency's improper
     payments, what is your agency doing to find
     out?

     Control Activities
3    What efforts are underway at your agency to                           •
     design and implement a plan for significantly
     reducing the amount of and the potential for
     making improper payments?

     Information and Communication
4    How does this plan address security and                               •
     privacy concerns related to information needed
     to carry out the plan? What is your assessment
     of your agency’s plans to address these issues,
     the goals it expects to achieve, and the
     timetable for completing these actions?

     Monitoring
5    How will your agency track and report on its                          •
     progress? Does it, or will it, establish
     agency-specific goals or measures for reducing
     improper payments? Will your agency provide
     its estimates of improper payments in its
     annual financial statements or in some other
     transparent way?

OIG’S EVALUATION OF THE FDIC’S INTERNAL CONTROL COMPONENTS

As a part of this review, we evaluated the FDIC’s internal control components with a focus on
determining what strategies suggested by GAO may be appropriate for the FDIC.
Presented
below are the questions asked by the Committee and details of our analysis for each internal
control component related to managing the risk of improper payments.

Control Environment

What does your agency plan to do to create a culture of accountability that provides a positive
and supportive attitude toward improvement and the achievement of established program
outcomes?

The FDIC’s Audit Committee along with the Chief Financial Officer and the Chief Operating
Officer set the “tone at the top” for a culture of accountability that provides a positive and
supportive attitude toward improvement and the achievement of program outcomes. The Audit
Committee fulfills oversight responsibilities for the Board of Directors with respect to financial
reporting, internal controls, and compliance with laws and regulations and assesses the
sufficiency of the FDIC internal control structure. In addition to the Audit Committee, FDIC
seeks overall to foster a positive environment toward internal control and conscientious
management. As evidence of the FDIC’s commitment to strong internal control, the Corporation
has established the Office of Internal Control Management (OICM) to administer the corporate
internal control program. This office works in partnership with all FDIC divisions and offices to
help them evaluate, monitor, and manage their risks. OICM also works closely with the FDIC’s
Office of Inspector General and the GAO in coordinating audit activities and tracking the status
of corrective actions resulting from audit findings.
OICM periodically gives presentations and
workshops, provides risk management training, and issues guidance in the form of directives,
manuals, and memoranda to enhance awareness of internal control throughout the Corporation.

As further evidence of a positive control environment, the GAO has issued unqualified opinions
on the financial statements of the BIF, SAIF, and the FRF. The unqualified opinion rendered on
the 2001 financial statements marks the tenth consecutive year for this achievement. In addition,
the GAO has not identified any material internal control weaknesses or instances of
noncompliance with laws and regulations for the last 8 years.

Also, 31 U.S.C. 3512(d), originally enacted as Section 2 of the Federal Managers’ Financial
Integrity Act of 1982, requires executive agencies to evaluate internal control systems and report
to Congress the results of the evaluation, along with material weaknesses and plans for corrective
actions. The agency reports the results of its evaluation in the form of a Statement of Internal
Accounting and Administrative Controls (SIAAC). Though not considered an executive agency
for purposes of FMFIA, the FDIC includes its SIAAC in the annual Chief Financial Officers Act
report. Accordingly, the FDIC conducts an annual, corporate-wide process that requires
managers to evaluate and certify (through their division/office directors) as to the adequacy of
their systems of internal control to identify and correct control weaknesses and other significant
vulnerabilities. The FDIC plans to discuss the amount of and goals for reducing improper
payments in its 2001 SIAAC. The OIG conducts a limited review of this evaluation and
reporting process and issues a memorandum to the Chairman on the results of the review.
Since
the internal control program became fully established in 1993, the OIG has reported that the
evaluation and reporting process has provided a reasonable basis for management’s conclusion
regarding its systems of internal control, as stated annually in a SIAAC. However, as an
additional aspect of each of our annual reviews, the OIG makes observations of problems or
areas needing improvement in the process to OICM as program administrator, and we provide
corresponding suggestions for program improvements.

Finally, the OIG contributes to the positive control environment at the FDIC in other ways. The
OIG continues to fulfill its mission of promoting economy, efficiency, and effectiveness in FDIC
programs and operations and protecting against fraud, waste, and abuse. From the period
January 1, 2000 through September 30, 2001, the OIG identified questioned costs and funds put
to better use totaling $6.2 million related to contractor payments.[4] A portion of this amount is
also reflected in the $4.4 million reported by FDIC management in the 2001 SIAAC.

[4] The Inspector General Act of 1978, as amended, defines the term “questioned cost” as a cost that is questioned by the
Office because of a) an alleged violation of a law, regulation, contract, grant, cooperative agreement, or other agreement
or document governing the expenditure of funds; b) a finding that, at the time of audit such cost is not supported by
adequate documentation; or c) a finding that the expenditure of funds for the intended purpose is unnecessary or
unreasonable. Also, the amount of funds put to better use represents the amount of funds to be used more efficiently
rather than amounts that may need to be eventually recovered.

Risk Assessment

To what extent are improper payments in your agency the result of agency error, the need for
improved oversight and monitoring, inadequate eligibility controls, fraud, or other causes? What
is the amount of improper payments your agency has made in the last two fiscal years? If you do
not know yet the nature and extent of your agency’s improper payments, what is your agency
doing to find out?

The second component of internal control is “risk assessment,” and the GAO guide suggests that
agencies undertake this process to determine the nature and extent of the problem. The FDIC has
responsive action in process for the risk assessment component. During our review, the FDIC
determined the extent and cause of improper payments made to contractors. These improper
payments primarily resulted from the need to improve contractor oversight. However, according to
the Corporation, the amount, $4.4 million over a 22-month period, was not considered significant
because it represented less than 1 percent of total contractor payments. In addition, the Corporation
believes that the amount of such payments in other programs and operations is not significant due to
the adequacy of internal control and the lack of significant amounts of improper payments identified
in internal control reviews and audits conducted by the OIG and GAO.

We reviewed the FDIC’s risk assessments related to its disbursement processes. FDIC
accountability unit managers prepare these assessments. As part of its mission to resolve failed
institutions, the FDIC disburses funds to cover its obligation to insured depositors, and these
disbursements can be substantial. For example, in 2001, the FDIC disbursed over $1 billion to
resolve one failed institution. The FDIC recognizes the risks associated with these payments,
and accountability unit managers document the risk assessment in their Management Control
Plans (MCP).
Concerning resolution disbursements, the MCP includes all the factors suggested
by GAO’s Internal Control Management and Evaluation Tool (GAO-01-1008G, issued
August 2001).[5]

GAO’s Internal Control Management and Evaluation Tool also suggests that an agency consider
any risks resulting from its interactions with other federal entities. The National Finance Center
(NFC) is responsible for processing the FDIC’s payroll, the second largest area of disbursements
for the FDIC. Since 1997, the NFC has received adverse or qualified opinions on its internal
controls. The FDIC has evaluated the results of audits related to NFC’s internal control and has
established additional control activities to mitigate the risks resulting from the processing of its
payroll. These controls are discussed below in the control activities section of the report.

Also, the OIG has conducted billing reviews of FDIC contractors that resulted in questioned costs
and funds put to better use totaling approximately $6.2 million. Due in part to such findings, the
FDIC organized a Contract Oversight Management Committee consisting of management officials
from each division that does major contracting at the FDIC and developed a project plan to improve
contractor oversight. The project plan includes several action items that the Committee believes
will help reduce the number of findings related to contractor oversight. The OIG is continuing to
perform periodic audits of the oversight and monitoring function to ensure that process
improvements are effective in mitigating the risks of improper payments.

In addition, other audits by the OIG and internal reviews by corporate management either did not
identify improper payments or the amount identified was minimal. As mentioned earlier, the
GAO conducted audits of the FDIC’s financial statements and management’s assertion on the
effectiveness of internal control.
These audits did not identify instances of improper payments.

[5] GAO’s Internal Control Management and Evaluation Tool suggests that the following factors be included in a risk
assessment: establishment of objectives, identification of risks, analysis of the risks identified, and management of
risks (deciding what internal control activities are required to mitigate those risks).

Control Activities

What efforts are underway at your agency to design and implement a plan for significantly reducing
the amount of and the potential for making improper payments?

According to the GAO guide, once an organization has identified its risks, management should
design control activities to address the risks. Rather than developing a single plan related to
improper payments, the FDIC is strengthening a variety of payment-related controls. The FDIC has
responsive action in process for the control activities component of the model. For instance, in its
2001 SIAAC, the FDIC plans to report $4.4 million of improper payments due to improvements
needed in contractor oversight. Although the Corporation does not consider this level to be
significant, the FDIC has developed plans to strengthen contractor oversight controls. Specifically,
the Contract Oversight Management Committee developed a project plan that defines solutions for
improving contract oversight at the FDIC. While the plan does not specifically address improper
payments, the actions taken should serve to further reduce the risk of improper payments within the
FDIC’s programs and operations.
The action plan includes the following key initiatives: (1) Host a
best practices conference, (2) Restructure the contractor oversight training program, (3) Implement
tools for contractor oversight manager training, (4) Review ethical issues in contracts, (5) Review
contract structure, and (6) Automate contractor oversight. In addition to this project plan, the FDIC
has implemented other payment controls, including oversight managers’ and contracting officers’
prepayment reviews, post payment reviews, and internal control reviews.

The FDIC has internal control activities to reduce the risk of improper payments in other areas and
has taken action to implement additional activities to further reduce the risk of future improper
payments. For example, in order to mitigate the risk of improper payments during the resolution of
failed institutions, the FDIC established control activities such as separation of duties, authorization
of the transaction by appropriate personnel, proper classification and prompt recording of
transactions, and complete and accurate documentation of the transaction. These control activities
were reviewed during the audits of the FDIC’s financial statements and were found to be effective.
No improper payments or weaknesses were identified during the audits.

Also, as previously mentioned, the NFC is responsible for processing salary and benefit payments
for FDIC employees. To address the NFC’s processing control weaknesses, the FDIC has taken
several actions to mitigate the risk of improper payments resulting from the processing of its
payroll. Initially, the FDIC established a task force to address the risks presented by the NFC. The
task force identified existing control activities within the FDIC that mitigate the risks of errors
occurring during payroll processing and also proposed new control activities.
The new controls
implemented by the FDIC include confirming gross payroll between the FDIC and the NFC and
reconciling total employee counts and hours. In addition to these control activities, the FDIC
established internal payroll reviews within each office or division and reviews differences between
amounts submitted and amounts processed by the NFC. These controls are evaluated during the
annual financial statement audit conducted by the GAO and were found to be effective and
operating as intended.

In voluntary compliance with the Federal Financial Management Improvement Act (FFMIA) and
the government-wide Joint Financial Management Improvement Program (JFMIP), the FDIC also
initiated the New Financial Environment (NFE) project in calendar year 2000 to review FDIC
business processes and recommend a financial environment that can best serve and support the
FDIC in the future. The FDIC’s current financial system was implemented in 1986 and has been
periodically upgraded to maintain and increase its functionality. The FDIC also has many other
systems in its overall financial environment to perform activities that its main system does not
perform. This arrangement requires many interfaces and reconciliations between the systems. The
NFE project team has recommended an integrated system solution to further enhance the FDIC’s
ability to meet current and future financial management and financial information needs. This
integrated financial system should serve to decrease the FDIC’s potential for making improper
payments and reduce the risk of other errors occurring in processing its financial data.

Information and Communications

How does this plan address security and privacy concerns related to information needed to carry
out the plan?
What is your assessment of your agency’s plans to address these issues, the goals it
expects to achieve, and the timetable for completing these actions?

The FDIC has responsive actions in process regarding the information and communications
internal control component. For instance, the Government Information Security Reform Act
(GISRA) provides a comprehensive framework for establishing and ensuring the effectiveness of
controls over information resources that support federal operations.[6] Office of Management and
Budget Circular A-130, Appendix III, requires agencies to implement and maintain a program to
ensure adequate security is provided for all information collected, processed, transmitted, stored,
or disseminated through general support systems and major applications. The OIG noted in its
GISRA report that the FDIC had established the management controls needed to provide
reasonable assurance that its risk management program provided adequate security. However,
the FDIC had only partially implemented these controls. Once these controls are fully
implemented, we believe that the FDIC will have more reasonable assurance that it is effectively
securing and protecting information from loss, misuse, unauthorized access, or modification. We
will continue to monitor FDIC actions to ensure that its plan is effective at addressing the
security and privacy concerns and that the plan is implemented in a timely manner. Our 2002
GISRA review will assess the FDIC’s progress in implementing information security controls.

[6] Under GISRA, the FDIC is required to provide the results of an annual review of its information security program and
practices. To assist agencies in implementing this practice, OMB directed the agencies to address 14 questions. Also
under GISRA, the OIG is responsible for evaluating the FDIC’s security program and practices; in doing so, the OIG
responded to the same questions as the FDIC. The results of the OIG’s evaluation are reported in its report entitled
Independent Evaluation of the FDIC’s Information Security Program Required by the Government Information Security
Reform Act (Audit Report No. 01-022, dated September 20, 2001).

Monitoring

How will your agency track and report on its progress? Does it, or will it, establish agency-specific
goals or measures for reducing improper payments? Will your agency provide its estimates of
improper payments in its annual financial statements or in some other transparent way?

The FDIC has responsive action in process for the monitoring component of internal control, which
suggests that agencies track their improvements over time. Notwithstanding the fact that there is a
low risk of improper payments in the FDIC’s programs and operations, OICM continues to ensure
that the FDIC operates in an environment that is conducive to strong internal controls. In doing so,
OICM conducts independent internal control reviews (ICRs) on issues of corporate significance to
assess whether internal accounting and administrative control procedures or functions are operating
as intended and are accomplishing the control objectives. OICM also administers the corporate
audit and review tracking system – the Internal Risks Information System (IRIS). IRIS is used to
monitor corrective actions taken on audit recommendations. OICM uses IRIS as a tool to help
ensure that problems identified by audits and other reviews are resolved in a timely manner.

GAO also suggests that agencies establish specific goals and measures for reducing improper
payments. In the SIAAC section of its annual Chief Financial Officers Act report, the FDIC plans
to include performance goals and measures that specifically address reducing improper payments.
The FDIC plans to report improper payments of less than one percent of payments made to
contractors and will strive toward a zero percent goal. In addition, the FDIC’s 2001 Annual
Performance Plan included a performance measure to enhance the FDIC’s contractor oversight
program in accordance with the FDIC Contract Oversight Management Committee’s project plan.
By accomplishing the action items in the project plan, the FDIC believes that it will ultimately
further reduce its improper payments. Our review of the SIAAC will help ensure these actions are
completed.

Additionally, the FDIC’s Division of Finance (DOF) monitors improper payments through its
reviews of expense reports and comparisons of actual budget results with planned results associated
with resource workloads. Details of a current year’s expenditures are compared to the prior year’s
expenditures as well as the next year’s budget in order to determine the reasonableness and
relationships between expense amounts. If significant variances are identified, these amounts are
analyzed to determine whether the cause of such variance is appropriate. In addition, DOF produces
an accounts payable suspect report to identify duplicate payments and suspicious amounts. This
report is produced daily and is reviewed by accounts payable staff prior to checks being released.

SUMMARY

The FDIC will shortly complete its calendar year 2001 Chief Financial Officers Act report.
Together with the agency evaluation required under GISRA, these activities will provide a means to
measure progress in strengthening controls and reducing vulnerability to improper payments.
The OIG has initiated a contract audit program that will include examination of contractor billings and
that provides regular coverage of disbursements related to receiverships. Together with the annual
financial statement audits by GAO, the corporate internal control program, and senior level
commitment to a sound internal control structure, the FDIC is on track to having an effective
strategy to manage improper payments.


CORPORATION COMMENTS AND OIG EVALUATION

Our report does not include recommendations for corrective actions. However, we provided our
draft report to the Director of DOF and the Director of the Division of Administration. These
divisions responded that they had no comments.


APPENDIX I

OBJECTIVE, SCOPE, AND METHODOLOGY


Objective

The objective of the review was to assess the FDIC’s strategy for managing improper payments.
Specifically, we determined whether the Corporation has assessed the risk of improper
payments; the extent to which the Corporation has considered the benefits of implementing
strategies to reduce improper payments; and the effectiveness of internal control activities within
the Corporation related to improper payments, including the establishment of appropriate goals
and measures.

Scope and Methodology

To accomplish our objective, we interviewed key representatives from selected divisions and
offices who were in positions to establish policy or those responsible for identifying and taking
actions to reduce improper payments.
The divisions included the Divisions of Administration
(DOA), Finance (DOF), Resolutions and Receiverships (DRR), Information Resources
Management (DIRM), Legal Division, and the Office of Internal Control Management (OICM).
We did not conduct evaluations in offices or divisions that had a minimal impact on the
payments process.

In conducting our review, we obtained the 96 management control plans (MCPs) and reviewed
the reasonableness of the risk assessments prepared by the FDIC’s accountability unit managers
for calendar year 2001. We focused particularly on those units that had the greatest impact on
improper payments, such as contract oversight management, contract administration, and
disbursements. We also reviewed the FDIC’s 2001 Annual Performance Plan to determine
whether the FDIC had established performance goals and measures related to improper
payments.

Our evaluation included a review of relevant FDIC policies and procedures; the U.S. General
Accounting Office’s (GAO’s) Executive Guide: Strategies to Manage Improper Payments
(GAO-02-69G), issued October 2001; GAO’s Standards for Internal Control in the Federal
Government (GAO/AIMD-00-21.3.1), issued November 1999; and other OIG and GAO audit
reports and internal control management tools related to improper payments and disbursement
controls.

Our work was designed to address questions posed by the Chairman and Ranking Minority
Member, Committee on Governmental Affairs, United States Senate. We examined
management control designed to prevent improper payments and reviewed MCPs and the FDIC
performance plan. We also relied on earlier work, including the work performed by the GAO
during its financial statement audits, on which we assisted.
The review was conducted from the
period August 2001 through May 2002 in accordance with generally accepted government
auditing standards.